This solution does not take into account qmail-ldap clustering.
Also, I assume that all virtual users are under the same uid/gid and that the imap server is started from tcpserver.
Since the imapd daemon is started from tcpserver with something like this:
We "just" have to write a new authentication program, which we will call auth_cas, that accepts proxy tickets as valid authentication tokens. In particular, the proxy ticket is used as the user's password, and the perl client AuthCAS is used to validate the proxy ticket and to retrieve the username of the user trying to log in.
We immediately see a small complication: most webmail interfaces store the user password in some form (encrypted and stored in a browser cookie, or encrypted and stored in session data). A proxy ticket, unlike a password, is single-use, so we have to use imapproxy (see www.imapproxy.org) to establish a persistent imap connection with qmail-ldap. With imapproxy in place, the webmail client passes the proxy ticket to the imapproxy daemon, which talks to the real imap daemon (the one we are going to CASify).
Installing and configuring imapproxy is very simple; just follow the instructions on their website. The configuration I use is the following:
So, imapproxy will be listening on 127.0.0.1:800, and will forward imap connections to 127.0.0.1:843, where qmail-ldap imap daemon is listening.
This is the script that does the real work. It validates proxy tickets, and launches the imapd daemon. If the proxy ticket validates correctly, we retrieve user information from the LDAP server, and set the environment variables needed for courier-imapd.
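The following auth_cas.pl is an added example of such a script; it is not the original page's code. It assumes the courier authlib module protocol (the request arrives on file descriptor 3 as service, authtype, username and password, one per line, and the module execs the rest of its command line as the real imapd), the AuthCAS methods new() and validatePT() and the function AuthCAS::get_errors(), the qmail-ldap attribute mailMessageStore for the maildir path, an anonymous LDAP bind, and the placeholder CAS, service and LDAP settings at the top.

```perl
#!/usr/bin/perl
# auth_cas.pl (added example, not the original page's script).
#
# Courier-style authentication module for the qmail-ldap imapd, CASified:
# the client "password" is a CAS proxy ticket, validated with AuthCAS.
# Assumed protocol (courier authlib): the request arrives on fd 3 as
#     <service>\n<authtype>\n<username>\n<password>\n
# for authtype "login". On success we export AUTHENTICATED, HOME and
# MAILDIR, drop to the virtual users' uid/gid and exec the rest of argv
# (the real imapd). Any failure exits non-zero, so imapd never starts.
use strict;
use warnings;
use POSIX qw(setuid setgid);
use Sys::Syslog qw(openlog syslog);
use AuthCAS;                                 # CPAN; validatePT() returns (user, @proxies)
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Site settings: every value below is an assumption made for this example.
my $CAS_URL      = 'https://cas.example.org/cas';
my $CA_FILE      = '/etc/ssl/certs/ca-bundle.crt';
my $SERVICE_URL  = 'imap://mail.example.org';  # the service the webmail requested the PT for
my $LDAP_HOST    = '127.0.0.1';
my $LDAP_BASE    = 'ou=users,dc=example,dc=org';
my $MAILDIR_ATTR = 'mailMessageStore';         # qmail-ldap maildir attribute (assumed)
my $UID_FILE     = '/var/qmail/control/ldapuid';
my $GID_FILE     = '/var/qmail/control/ldapgid';

openlog('auth_cas', 'pid', 'auth');
sub fail { syslog('err', '%s', $_[0]); exit 1 }

# A setuid module must not trust the environment it inherited.
%ENV = (PATH => '/bin:/usr/bin');

sub read_number {
    my ($file) = @_;
    open(my $fh, '<', $file) or fail("$file: $!");
    my $line = <$fh>;
    close $fh;
    (defined $line && $line =~ /^\s*(\d+)/) or fail("$file: expected a number");
    return $1;
}
my ($uid, $gid) = (read_number($UID_FILE), read_number($GID_FILE));

# 1. Read the authentication request handed to us on fd 3.
open(my $auth, '<&=', 3) or fail("cannot read fd 3: $!");
my @req = map { my $l = <$auth>; defined $l ? $l : '' } 1 .. 4;
close $auth;
chomp @req;
my ($service, $authtype, $user, $ticket) = @req;
fail("unsupported authtype '$authtype'") unless $authtype eq 'login';
fail("bad username")                     unless $user =~ /^[a-z0-9._-]{1,64}$/i;
fail("password is not a proxy ticket")   unless $ticket =~ /^PT-[A-Za-z0-9._-]+$/;

# 2. Ask the CAS server whether the proxy ticket is valid for our service.
my $cas = AuthCAS->new(casUrl => $CAS_URL, CAFile => $CA_FILE);
my ($cas_user) = $cas->validatePT($SERVICE_URL, $ticket);
fail("proxy ticket rejected: " . AuthCAS::get_errors()) unless defined $cas_user;
# The login name sent by the client must be the ticket's subject; otherwise a
# ticket issued for one user could be presented against another mailbox.
fail("ticket subject '$cas_user' does not match login '$user'")
    unless lc($cas_user) eq lc($user);

# 3. Fetch the mailbox location from the qmail-ldap directory.
my $ldap = Net::LDAP->new($LDAP_HOST, timeout => 10) or fail("ldap connect: $@");
my $res = $ldap->bind;                       # anonymous bind (assumed to be allowed)
fail("ldap bind: " . $res->error) if $res->code;
$res = $ldap->search(base   => $LDAP_BASE, scope => 'sub',
                     filter => '(uid=' . escape_filter_value($user) . ')',
                     attrs  => [$MAILDIR_ATTR]);
fail("ldap search: " . $res->error) if $res->code;
fail("user '$user' not found or ambiguous") unless $res->count == 1;
my $maildir = $res->entry(0)->get_value($MAILDIR_ATTR);
fail("no $MAILDIR_ATTR for '$user'") unless defined $maildir && $maildir =~ m{^/};

# 4. Export what courier-imapd expects, drop privileges, and hand over.
$ENV{AUTHENTICATED} = $user;
$ENV{HOME}          = $maildir;              # courier prefers MAILDIR when it is set
$ENV{MAILDIR}       = $maildir;
$) = "$gid $gid";                            # also clears supplementary groups
setgid($gid) or fail("setgid($gid): $!");
setuid($uid) or fail("setuid($uid): $!");
fail("privilege drop did not stick") unless $< == $uid && $> == $uid;
fail("no program to exec") unless @ARGV;
exec @ARGV or fail("exec $ARGV[0]: $!");
```

It is invoked in place of the stock authentication module in the imapd run file, with the real imapd and its arguments following on the command line. The ticket-format check, the subject-to-login comparison and the filter escaping are the parts that matter for security: they keep arbitrary strings away from the CAS server and the LDAP filter, and they make sure a valid ticket only ever opens the mailbox of the user it was issued to.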
auth_cas.pl needs to be run as the user in /var/qmail/control/ldapuid and the group in /var/qmail/control/ldapgid. If your perl installation does not allow setuid perl scripts, you will have to compile a small wrapper auth_cas which is setuid and calls auth_imap.pl:
Adjust REAL_PATH, compile with gcc, make the executable setuid, and use it in the run file of qmail.
The final step is to integrate the webmail authentication with the CASified imap daemon. If your webmail is php based, you will of course use phpCAS. For instance, for squirrelmail I use something like this: first I authenticate the user, then I build a form with the username and the proxy ticket as the password, and then this form is submitted to the standard squirrelmail authentication page.